If a service were going to passkeys for sake of law enforcement or works be so much easier for them to just comply with bypassing auth to access the user data altogether. Passkey implementations originally only supported very credible offline mechanisms and only relaxed those requirements when it became clear the vast majority of people couldn’t handle replacing their devices with passkeys.

For screen lock for the common person it was either that or nothing at all. So demanding a PIN only worked because most of the time the user didn’t have to deal with it owing to touching a fingerprint or face unlock.

People hate passwords and mitigate that aggravation by giving random Internet forum the same password as their bank account. I wouldn’t want to take user passwords because I know I have a much higher risk of a compromise somehow leading to compromise of actually important accounts elsewhere.